Last Update: August 11, 2020
Data Processing Agreement
Agreement relating to the performance of commissioned data processing services pursuant to Article 28 GDPR
This data processing agreement is between
- Customer -
GmbH Erich-Weinert-Straße 145
- Data Processor -
§ 1 Preamble, Subject-Matter and Order of Precedence
(1) General. This agreement (the "Data Processing Agreement") forms part of the master agreement between you and zenloop relating to the provision of our Services (the "Agreement").
(2) Subject matter of Agreement. This Data Processing Agreement describes how zenloop will Process Survey Recipient Data that you provide to us in connection with your use of our Services, in accordance with the requirements of Data Protection Laws.
(3) Conflicts. In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of the Agreement.
§ 2 Definitions
Throughout this Data Processing Agreement, we may use certain words or phrases, and it is important that you understand the meaning of them. The list is not all-encompassing and no definition should be considered binding to the point that it renders this Data Processing Agreement nonsensical:
(1) "Agreement" means the agreement between you and zenloop relating to the provision of our Services, as set forth in our Terms of Service.
(2) "Customer" or "you" refers to you, the person who is entering into the Agreement (including this Data Processing Agreement) with zenloop; If you use our Services on behalf of an organization, you agree to these terms on behalf of that organization and you represent that you have the authority to do so. In such case, "Customer" or "you" will refer to that organization.
(3) "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the processing of personal data (including in connection with providing telecommunication services and conducting email marketing), and including, without limitation, the GDPR, the German Act Against Unfair Competition (UWG), the German Telecommunications Act (TKG) and the German Telemedia Act (TMG).
(4) "GDPR" means the General Data Protection Regulation.
(5) "Process" or "Processing" means any operation or set of operations which is performed by zenloop as part of the Services upon Survey Recipient Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(6) "Services" means the services that we provide through our Site, including our customer insight and loyalty services.
(7) "Site" means our website, www.zenloop.com, as well as the associated platform.
(8) "Subprocessor" means a third party subcontractor engaged by zenloop which, as part of the subcontractor's role of delivering the Services, will Process Survey Recipient Data.
(9) "Survey Recipient" means any identified or identifiable natural person who is a customer, employee or business contact of yours and who has been or will be contacted by you through our Site.
(10) "Survey Recipient Data" means any personal information relating to a Survey Recipient that you or any of your Survey Recipients provide to zenloop in connection with your use of the Services.
Other terms have the definitions provided for them in the Agreement or as otherwise specified below.
§ 3 Scope, Duration, Type of Survey Recipient Data and Categories of Data Subjects
(1) General Scope. Under the terms of this Data Processing Agreement, zenloop will Process Survey Recipient Data on behalf of Customer in accordance with article 28 GDPR.
(2) Duration. This Data Processing Agreement shall be effective for the duration of zenloop's Services under the Agreement, and shall terminate automatically upon expiration or termination of the Agreement for any reason.
(4) Types of Data. Processing may include the following types/categories of Survey Recipient Data: personal information including name or email address, IP address, usage data, device data, referral data and information from cookie and page tags.
(5) Categories of Data Subjects. The persons concerned by the Processing hereunder are assigned to the following categories: (i) customers of Customer; (ii) employees of Customer; and (iii) business contacts of Customer; in each case (i) through (iii) above, to the extent such customer, employee or business contact has been or will be contacted by you through our Site.
§ 4 Customer Instructions
(1) Processing Instructions. During our Services, you may provide instructions to us in addition to those specified in this Data Processing Agreement with regard to the processing of Survey Recipient Data (each such instruction hereinafter, a "Processing Instruction") in connection with our Services. Any Processing Instruction must be in writing or in electronic form. We will process your Survey Recipient Data according to your instructions.
(2) Change requests. Any Processing Instruction that amends or deviates from the terms of this Data Processing Agreement will constitute a change request and will be subject to the requirements set forth in § 14(1). We will negotiate in good faith with you with respect to any change in the Services and/or fees resulting from any Processing Instructions.
(3) Compliance of Processing Instructions with Data Protection Laws. You are responsible for ensuring that your Processing Instructions comply with Data Protection Laws.
(4) Notification. If we believe that a Processing Instruction infringes or violates the GDPR or other Data Protection Laws, we will immediately inform you thereof.
§ 5 Obligations and Rights of the Customer
(1) Compliance of Processing with Data Protection Laws. You are responsible for ensuring that the Processing of Survey Recipient Data hereunder complies with the requirements of Data Protection Laws, including, but not limited to, concerning (i) the transmission of Survey Recipient Data to zenloop (including providing any required notices and obtaining any required consents), (ii) the use of any Survey Recipient Data in connection with any marketing or advertising you conduct, and (iii) your decisions and actions regarding the Processing and use of the Survey Recipient Data.
(2) Customer as Controller. You will be the controller as defined in article 4 paragraph 7 GDPR. You shall have sole responsibility for the accuracy, quality, and legality of Survey Recipient Data and the means by which you have acquired Survey Recipient Data.
(3) Record of Processing Activities. You will maintain a record of processing activities under your responsibility in accordance with article 30 GDPR.
(4) Notification obligation. You will, without undue delay, inform us of any defect you may detect in our Services, and of any irregularity in the implementation of statutory regulations on data privacy.
§ 6 zenloop Obligations
(1) Processing solely for provision of Services. We will Process your Survey Recipient Data only on documented instructions from you and solely for the provision of the Services in accordance with article 28 paragraph 3 a) to h) GDPR and will not otherwise (i) Process or use your Survey Recipient Data for purposes other than those set forth in the Agreement or this Data Processing Agreement or (ii) disclose your Survey Recipient Data to third parties other than Subprocessors for the aforementioned purposes or as required to do so by Union or Member State law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(2) Processing within and outside the EU/EEA. We will generally Process Survey Recipient Data within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area. In some instances, we may also transfer Survey Recipient Data to our third party service providers located in the United States of America; please see our **annex 2** for details on the third party service providers we use.
(3) Personnel of zenloop. We will ensure that our personnel engaged in and authorized for the Processing of Survey Recipient Data are informed of the confidential nature of the Survey Recipient Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(4) Our data protection officer. We have appointed a data protection officer: Inna Gendelman, ISiCO Datenschutz GmbH, Am Hamburger Bahnhof 4, 10557 Berlin. The person may be reached by email via firstname.lastname@example.org.
§ 7 Technical and Organizational Measures
(1) zenloop TOMs measures. When we Process Survey Recipient Data on your behalf, we will take all measures required pursuant to Article 32 GDPR, and have implemented and will maintain certain technical and organizational security measures for the Processing of such data, as such measures are specified in **Annex 1**. These measures are intended to protect Survey Recipient Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
(2) Changes to TOMs. All technical and organizational security measures are subject to technical progress and development. Accordingly, we may modify our security measures and/or implement alternative security measures, provided, however, that these do not fall short of the level of security as contractually agreed upon in Annex 1.
§ 8 Customer Audit Rights
(1) Customer Audits. You may, prior to the commencement of our Services and up to once per year during the performance of our Services, audit the technical and organizational measures implemented by zenloop. You may perform more frequent audits to the extent required by Data Protection Laws.
(2) Details regarding Audits. In the course of such audit, you may, in particular, conduct the following measures: (i) You may obtain all such information from zenloop that is necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement. (ii) You may request zenloop to submit to you an existing certificate by a qualified third party auditor. (iii) You may, upon reasonable advance agreement, during regular business hours and without interfering with zenloop's business operations, conduct an on-site inspection of those parts of zenloop's business facilities where Survey Recipient Data is being processed, subject to zenloop's then-applicable security policies.
(3) On-Site Inspections. To request an on-site inspection, you must submit an inspection plan to us at least two weeks in advance of the proposed inspection date, describing the proposed scope, duration and start date of the inspection. We will review the inspection plan and provide you with any concerns or questions (for example, any request for information that could compromise zenloop's security, privacy, employment or other relevant policies).
(4) Report in lieu of audit. If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within the prior twelve months, you agree to accept those findings in lieu of requesting an audit of the systems covered by the report.
(5) Sharing of reports. You will provide us with any audit reports generated under this section, unless prohibited by law. You may use the audit reports only for the purpose of confirming that our technical and organizational measures are in compliance with the requirements of this Data Processing Agreement. The audit reports are confidential information of the parties under the terms of the Agreement.
(6) Costs of audits. Any audits are at your expense. Any request for zenloop to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for the provision of the Services. We will seek your written approval and agreement to pay any related fees before performing such audit assistance.
(7) Third party auditors. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and zenloop and must execute a written confidentiality agreement acceptable to zenloop before conducting the audit.
§ 9 Subprocessors
(1) Subprocessors. We may engage Subprocessors to assist in the Processing of your Survey Recipient Data. By entering into this Data Processing Agreement with us, you give your prior general written authorization to our use of Subprocessors in accordance with article 28 paragraph 2 GDPR. A list of Subprocessor is providedin Annex 2. Where we intend to add or replace a Subprocessor, we will inform you of such intended change, thereby giving you the opportunity to object to such change. If you don’t object within two weeks from our notification regarding the change of a Subprocessor, it has the same effect as a consent.
(2) Our agreements with Subprocessors. We will ensure that all of our Subprocessors are required to abide by substantially the same obligations as zenloop under this Data Processing Agreement as applicable to their performance of the Services. This shall apply in particular, but not be limited to, the requirements in § 4,§ 7,§ 8, and § 10to § 13. zenloop remains responsible at all times for compliance with the terms of this Data Processing Agreement by all Subprocessors engaged in the performance of our Services to you.
(3) As far we work with freelancers, who have access to your personal data, we ensure that we only collaborate with freelancers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Processing by a freelancer is governed by a data processing agreement which ensures the same data protection standard you and we agreed on. We will provide a list of the freelancers upon request.
(4) Copies of relevant terms. You are entitled, upon written request, to receive copies of the relevant terms of zenloop's agreement with each Subprocessor that Processes your Survey Recipient Data, unless the agreement contains confidential information, in which case zenloop may provide a redacted version of the agreement.
(5) Ancillary Services. This § 9shall not apply where we engage third parties for ancillary services; these include, but are not limited to, telecommunications services, mail and shipping services, building security services, facility management services, and services relating to the cleaning or disposal of data media.
§ 10 Rights of Data Subjects
(1) Pass-through of Data Subject requests. Where a Data Subject requests us to correct, delete or block Survey Recipient Data, we will pass on such request to you. zenloop will not respond to any requests of Data Subjects without your prior written consent.
(2) Assistance. Where a Data Subject requests you to correct, delete or block Survey Recipient Data or to provide information about the collection, processing or use of Survey Recipient Data in connection with our Services and you are unable to fulfil the request by yourself through our Site, we will support you in responding to the request and in fulfilling the request by appropriate technical and organisational measures, insofar as this is possible, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for the cost and expenses incurred in providing such support.
§ 11 Deletion of Data and Return of Data Media
(1) No copies or duplicates. We will not create copies or duplicates of your Survey Recipient Data without your prior knowledge. Notwithstanding the preceding sentence, we may (i) create backup copies, to the extent such backup copies are required to ensure the proper Processing of Survey Recipient Data, and (ii) prepare and retain copies of Survey Recipient Data where required by us to comply with any statutory retention and storage obligations.
(2) Deletion of data. Upon cancellation of your account, or at any prior time upon your written request, we will at your choice either delete all copies of your Survey Recipient Data from our systems within one month or return such Survey Recipient Data to you. We are not liable for any loss or damage following, or as a result of, such deletion or return, and it is your responsibility to ensure that any Survey Recipient Data which you require is backed-up or replicated before deletion or return.
(3) Return of data media. If, in connection with our Services, we have received from you any data media containing Survey Recipient Data, we will return to you any such data media still in our possession at the time of cancellation of your account or upon your written request. (4) Continued use for legal obligations. Notwithstanding the above, we will retain only those Survey Recipient Data which are required to comply with our legal obligations, resolve disputes, and enforce our agreements.
§ 12 Service Analyses
(1) Service Analyses. We may (i) compile statistical and other information related to the performance, operation and use of our Services, and (ii) use data from our Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses (i) and (ii) are collectively referred to as "Service Analyses").
(2) No Personal Data in Service Analyses. Service Analyses will not incorporate Customer's Survey Recipient Data in a form that could identify or serve to identify any Survey Recipient. zenloop retains all intellectual property rights in Service Analyses.
§ 13 Duties to Notify and Further Support
(1) Notification of (governmental) searches and seizures. We will, without undue delay, inform you if your Survey Recipient Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in our control. In such event, we will inform all pertinent parties in such action, that any data affected thereby is in your sole property and area of responsibility, that data is at your sole disposition, and that you are the responsible body in the sense of the GDPR.
(2) Notification of incidents and breaches. We will, without undue delay, inform you if we determine that (i) your Survey Recipient Data has been subject to a security incident (including by a zenloop employee) or (ii) there has been a breach by zenloop (including by a zenloop employee) of Data Protection Laws applicable to the performance of our Services to you or of any or any of the provisions set forth in this Data Processing Agreement. In such event, we will promptly investigate the security incident or breach and take reasonable measures to identify its root cause and prevent a recurrence.
(3) Assistance. In the event that, due to the security incident or breach, you are required to fulfill any disclosure obligations in accordance with article 33 GDPR, we will support you fulfilling such obligations, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.
(4) Further Support. In addition to our assistance obligations above, we will assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to us, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.
§ 14 Changes
(1) Changes to these terms. zenloop may change these terms at any time for a variety of reasons, such as to reflect changes in applicable law, to reflect updates to our Services or the technical and/or organizational measures we employ, and to account for new Services or functionalities.
(2) Notification of changes. Typically, we will not notify you in advance when we modify or update the terms of this Data Processing Agreement. However, when you first log in to our Site after such modification or update, we will notify you of the change by electronic means. If you continue to use our Services following such notice, you consent to any such amendment or modification, unless zenloop receives a timely objection from you. (3) Current version. Amendments to these terms will be effective immediately when posted on our Site. You are responsible for ensuring familiarity with the latest terms of our Data Processing Agreement. You can always find the most current version of our terms at https://www.zenloop.com/de/legal/data-processing.
(1) Severability. Where individual provisions of this Data Processing Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Data Processing Agreement shall not be affected.
(2) Governing law and venue. This Data Processing Agreement is subject to German law. Any disputes arising out of or in connection with this Data Processing Agreement shall be exclusively submitted to the courts of Berlin.
Annex 1 - Data Protection Agreement (DPA)
Technical and organizational measures to ensure the security of processing
1. Measures to ensure confidentiality
1.1. Physical access control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.
Description of physical access control:
- Safety locks on doors
- Careful selection of cleaning staff
- Admission management: authorized personnel and scope of authorization are pre-defined
- Careful selection of security staff
- Further measures by service provider
1.2. Logical access control
Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.
Description of logical access control system:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- User rights are granted restrictively
- All log-ons / log-offs are recorded
- Use of central password policy
1.3. Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.
Description of data access control:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- All data access is logged automatically
- Small number of system administrators
- Records and log files are analyzed regularly
1.4. Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
Description of the separation control process:
- Systems allow for data segregation (multi-tenancy), data is segregated by software
- Productive systems and test systems are separated from each other
- Data sets can be accessed only through those applications which have been pre-defined
- Database user rights are issued and managed centrally
1.5. Pseudonymization measures
Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures.
Description of the pseudonymization:
- none due to work on a central server system
2. Measures to ensure integrity
2.1. Transmission and transport control
Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.
Description of the transmission and transport control:
- Unnecessary printouts are terminated
- No use of physical data carriers
- Comprehensive logging procedures
- No use of private data carrieres at at work
2.2. Input control
Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.
Description of the input control process:
- Logging of all system activities and keeping of these logs for at least six months
- Use of central rights management for entering, altering and deleting data
3. Measures to ensure availability and resilience
3.1. Availability control **
Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system
- Backups are taken on a regular basis
- Backup and recovery plan is in place
- Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers
- Additionally diverse measure of server service providers
3.2. Quick recovery
Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.
Description of the measures for quick recovery:
- Data backup procedure
4. Measures for the regular testing and evaluation of the security of data processing
Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller.
Description of the order control measures:
- Involvement of external data protection officers for all data protection-related questions
- Formalized processes for data privacy incidents
Subprocessors pursuant to Data Processing Agreement
The Processor currently works with the following subcontractors and the Controller hereby agrees to their appointment. If data processing takes place outside the European Economic Area (EEA) or if access is made from outside the EEA, the following overview must also list the measures and guarantees that ensure an appropriate level of data protection during processing in accordance with Art. 44 GDPR ff. (e.g. EU Standard Contractual Clauses, certification according to EU-U.S. Privacy Shield, Binding Corporate Rules or other arrangements by the European Commission).
Company: salesforce.com, inc.
Data processing activities: Data center
Data location: Frankfurt, Germany
2. Amazon Web Services
Company: Amazon Web Services, Inc. ("AWS")
Data processing activities: Data center
Data location: Ireland and Frankfurt zone https://aws.amazon.com/about-aws/global-infrastructure/
Company: Elasticsearch B.V.
Data processing activities: Search engine, indexing, search criteria.
Data location: Ireland https://elastic.co